Password recovery tools fill a very useful place in today’s login-crazy Web, but the helpful boon has turned into a hindering bane for Skype users. For at least two months, hackers have known — and presumably been using — a flaw in Skype’s password recovery tool that allowed anyone to easily take control of any account if they know its associated email address.
The Next Web successfully managed to recreate the exploit, which was first published on a Russian forum. After performing a few simple steps and a sending a password reset token request to the Skype app itself rather than the owner’s inbox, the website was able to seize control of its editor’s Skype account within minutes. TNW successfully repeated the vulnerability with several other accounts.
Fortunately, Skype and Microsoft leaped right on top of the vulnerability after The Next Web shined a light on the issue. Shortly after the article aired, Skype sent out the following statement:
We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.
Update 1:52 P.M. EST: Well, that was fast. Skype just reached out to let us know that the vulnerability has been fixed and the service’s password reset options are up and running once again. Read the brief details here.